Ransomware, Malware, Threat Intelligence

New malware family NotLockBit aims ransomware attacks toward macOS

MacOS logo (Mac OS X), an operating system developed by Apple Inc., displayed on a MacBook Pro screen

(Adobe Stock)

While ransomware on macOS remains a small and unlikely threat, SentinelOne researchers believe that a new malware family dubbed "macOS.NotLockBit" has made advancements that could emerge as a credible threat to Apple computers.

SentinelOne researchers said in an Oct. 22 blog post that ransomware threats for Macintosh computers were mostly in the proof-of-concept (PoC) stage and largely incapable of succeeding in corrupting a system.

SentinelOne gave it the name macOS.NotLockBit because it’s from a different threat actor that's apparently appropriating the LockBit name, and earlier research such as the blog posted by TrendMicro last week did not give it a specific name. Interestingly enough, the SentinelOne researchers noted that LockBit was involved in one of the more credible previous ransomware attempts on macOS to date.

“As stated in our earlier research, previous attempts at ransomware on macOS were never really genuine threats to users, and there are no recorded cases of any organizations paying out a ransom to a threat actor to unlock or retrieve their own files,” explained Phil Stokes, senior researcher at SentinelLabs.

Stokes said there are at least four notable points about this threat:

  • Fully developed infrastructure: Unlike other PoCs, this malware was backed by a fully developed infrastructure for exfiltrating and storing victim data, a necessary step in any large-scale campaign where attackers expect to have to deal with large amounts of data from multiple victims. This suggests the attacker has serious ambitions.
  • Asymmetric encryption: The malware has a functional asymmetric encryption scheme (unlike say,
    EvilQuest/ThiefQuest, which used an amateurish symmetric encryption making it possible to decrypt files without aid from the attacker), meaning that it would be impossible to decrypt locked files without the attacker’s aid.
  • Sophisticated diversion techniques: The malware developer used a LockBit “wallpaper” in an attempt to either (or both) raise their own credibility to increase chances of getting a payout and/or misattribute attacks to known groups as a means of diverting attention from law enforcement.
  • Indicators of ongoing development: The threat seems to have been discovered before being distributed in an active campaign. However, since the most recent samples SentinelOne discovered date back to May 2024, it’s a reasonable assumption that further work has been done in the interim, and it may not be long before we see the next stage of development from this threat actor

    • Past ransomware attempts on macOS

    Jason Soroko, senior fellow at Sectigo, pointed out that macOS-focused ransomware such as MacRansom (2017) and EvilQuest (2020) have actively infected macOS systems in the past. NotLockBit encrypts files using asymmetric encryption, which means that there is much less possibility to decrypt data without the private key. 

    Soroko said the encryption of the master key used to encrypt is based on a RSA 2048 public key which makes it particularly robust. The ransomware then exfiltrates data to an Amazon S3 bucket for double extortion.

    “NotLockBit seems to be designed to take advantage of people’s willingness to sometimes click through warning messages, specifically thrown by macOS transparency, consent, and control (TCC) framework,” said Soroko. “TCC in macOS is designed to enhance security, but it’s not perfect, especially when malware is capable of trusted process abuse where attackers leverage legitimate system processes or applications that already have the necessary permissions to bypass macOS TCC.  However, in this case, attackers are mostly relying on people ignoring warning messages.”

    John Bambenek, president at Bambenek Consulting, added that ransomware for macOS has been somewhat rare and usually confined to distribution via Torrent sites. Bambenek said this family is what's considered by researchers “modern” ransomware that an attacker could use to lock up a Mac.

    “That being said, researchers haven’t seen this in the wild in terms of actually attacking victims and would need some distribution mechanism to infect Macs in an organization as a whole,” said Bambenek. “For now, the only thing teams should be aware of is that the sense of invulnerability they may have to ransomware due to using macOS is now unfounded and they should ensure strong EDR is loaded on corporate devices.”

    An In-Depth Guide to Ransomware

    Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

    Related

    Upswing in third-party breaches observed

    SiliconAngle reports that third-party compromise accounted for 36% of all data breaches last year, which may still be undervalued due to inadequate reporting and improper classification, highlighting the escalation in vendor-driven attacks.

    Related Events

    Get daily email updates

    SC Media's daily must-read of the most current and pressing daily news

    By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

    Related Terms

    AdwareCorruptionDNS SpoofingDeauthentication AttackDeepfakeDictionary AttackDomain HijackingDrive-by DownloadGoogle HackingReconnaissance

    You can skip this ad in 5 seconds